CN110770707A - Device and method for controlling a vehicle module - Google Patents


Info

Publication number
CN110770707A
Authority
CN
China
Prior art keywords
information
core
processor
signal
check
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201880040724.5A
Other languages
Chinese (zh)
Inventor
比伦特·萨里
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zf Frederick Harfin Co Ltd
ZF Friedrichshafen AG
Original Assignee
Zf Frederick Harfin Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority to DE102017210156.3
Priority patent DE102017210156B4
Application filed by Zf Frederick Harfin Co Ltd
PCT application PCT/EP2018/062496, published as WO2018233934A1
Publication of CN110770707A
Legal status: Pending (current)


Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/1629Error detection by comparing the output of redundant processing systems
    • G06F11/1641Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W50/04Monitoring the functioning of the control system
    • B60W50/045Monitoring control system parameters
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W50/0098Details of control systems ensuring comfort, safety or stability not otherwise provided for
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0751Error or fault detection not based on redundancy
    • G06F11/0754Error or fault detection not based on redundancy by exceeding limits
    • G06F11/0757Error or fault detection not based on redundancy by exceeding limits by exceeding a time limit, i.e. time-out, e.g. watchdogs
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/18Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
    • G06F11/186Passive fault masking when reading multiple copies of the same data
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06NCOMPUTER SYSTEMS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computer systems based on biological models
    • G06N3/02Computer systems based on biological models using neural network models
    • G06N3/04Architectures, e.g. interconnection topology
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2420/00Indexing codes relating to the type of sensors based on the principle of their operation
    • B60W2420/42Image sensing, e.g. optical camera
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2420/00Indexing codes relating to the type of sensors based on the principle of their operation
    • B60W2420/52Radar, Lidar
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2556/00Input parameters relating to data
    • B60W2556/35Data fusion
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0706Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment
    • G06F11/0736Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment in functional embedded systems, i.e. in a data processing system designed as a combination of hardware and software dedicated to performing a certain function
    • G06F11/0739Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment in functional embedded systems, i.e. in a data processing system designed as a combination of hardware and software dedicated to performing a certain function in a data processing system embedded in automotive or aircraft systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/18Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
    • G06F11/187Voting techniques
    • G06F11/188Voting techniques where exact match is not required

Abstract

The invention provides a device for controlling a vehicle module with plausibility-checked information, having a multicore safety processor which is designed to check the plausibility of the processed information. Furthermore, a controller for a vehicle module is provided, which has a power processor whose evaluated information is checked for plausibility in the device according to the invention via an information interface. Furthermore, a driver assistance method is provided in which the controller according to the invention is used.

Description

Device and method for controlling a vehicle module
Technical Field
The invention relates to a device for actuating a vehicle module according to the preamble of claim 1, a controller for a vehicle module according to claim 8 and a driver assistance method according to claim 16.
Background
A controller (also referred to as an electronic control unit, ECU for short) is an electronic component for control and regulation. In the automotive field, ECUs are used in many electronic areas for controlling and regulating vehicle functions. The ECUs known from the prior art each control and regulate one vehicle function; for example, one ECU controls ejecting a CD from the CD player of a car radio and another ECU controls tuning the radio station.
In today's semi-autonomous vehicles, more than 100 functions are controlled and regulated during driving by their respective ECUs. Each additional function requires an additional ECU. In the development of vehicles toward highly automated, fully automated and autonomous driving, further functions emerge that must be controlled and regulated. In particular, given the many information items generated in road traffic, a large number of functions must already be controlled and regulated in semi-automatically driven vehicles in order to detect and evaluate all of this information and thereby realize safe driving.
Since the ECU consumes energy in the form of computing power, the energy consumption rises with each function to be controlled and regulated. The aim is not to control and regulate each individual function with a separate ECU, but rather to integrate a plurality of functions connected to one another into one ECU in order to reduce the energy consumption on the one hand and to evaluate the information more efficiently on the other hand.
Functions which are linked to one another occur in the vehicle area in which the corresponding functional units are located. Such a vehicle area is referred to as a vehicle domain. Examples of vehicle domains are infotainment systems, chassis, drives, interior or security. The functions of an infotainment system are, for example, running a radio or a CD player, establishing a telephone connection, connecting to a hands-free facility, etc. When a music CD is being played and a call connection is established, the music is stopped, for example. An ECU that controls and regulates a vehicle domain, that is to say a plurality of functions connected with one another, is called a domain ECU.
An ECU for a vehicle must reliably and safely provide the requested function and must be available for use in the area of chassis, drive and safety, among other things. Reliability means that the vehicle should take the occupant from the starting point to the target point without failure, provided that the vehicle is operated according to regulations at the starting point. Safety means in principle that there is no danger to personnel by the vehicle. Availability means that the vehicle is as ready as possible to operate and is not continuously located in the workshop as a result of a malfunction.
The functional safety standard ISO 26262, which is common in the automotive field, also requires that in the event of a failure of an ECU, in particular an electrical failure, for example a failure of the ECU due to a sudden voltage drop, countermeasures in the form of safety measures are taken in order to avoid an unacceptable risk of injury. For example, a redundant power supply can be used to avoid fault conditions caused by voltage dips.
For semi-automatic vehicles, a domain ECU (also referred to as advanced driver assistance system, ADAS for short) for driver assistance systems is the subject of current research. The ADAS system detects the environment of the vehicle, for example by means of an environment detection sensor, such as a camera, evaluates the environment and forwards corresponding information to the vehicle module in order to assist the driver in driving safely. The domain ECU for the ADAS system is called ADAS-domain ECU. The functions controlled and regulated by the ADAS-domain ECU are, for example, the recognition of lane markings, vehicles, traffic signs, pedestrians, etc. These functions are centrally controlled and regulated by the ADAS-domain ECU.
For domain ECUs, in particular ADAS-domain ECUs, that process data from environment detection sensors, there is a safety risk even when the ECU is in an electrically fault-free state. For example, the camera can be fault-free as an electronic system but can nevertheless misdetect or misinterpret the detected object.
Disclosure of Invention
This is the starting point of the invention. The aim of the invention is to improve the safety of domain ECUs known from the prior art, in particular ADAS-domain ECUs.
This object is achieved by a device having the features of claim 1, by a controller having the features of claim 8 and by a driver assistance method having the features of claim 16.
Advantageous embodiments and refinements are specified in the dependent claims.
The device for controlling a vehicle module has a safety processor with at least one information interface at an input of the safety processor and a control interface at an output of the safety processor, wherein the safety processor has at least a first core, a second core and a third core. It is essential to the invention that the first core is designed to carry out a first plausibility check of at least one first information item and at least one second information item, both conducted to the safety processor via the information interface, and that the second core is designed to carry out a second plausibility check of the first and the second information item. The third core is designed to compare the result of the first plausibility check, transferred from the first core to the third core, with the result of the second plausibility check, transferred from the second core to the third core, and to transfer to the control interface the information whose plausibility is confirmed in both the first and the second plausibility check. The vehicle module can then be controlled via the control interface using the information whose plausibility is confirmed.
The vehicle module is a component of a vehicle. For example, the steering wheel of a vehicle is a vehicle module. Electrical/electronic systems, referred to as E/E systems for short, are likewise vehicle modules. The functional unit, which may be composed of a plurality of components, also forms a vehicle module.
A processor is an electronic circuit that receives and processes instructions. The processor may use the results of processing the instructions to control and regulate other circuits and thereby drive the process.
One part of the processor is called the core, which forms the computing unit and which itself is capable of implementing one or more instructions.
The safety processor is thus a multicore processor, in which a plurality of cores are arranged on a single chip, that is to say on one semiconductor component. Multicore processors achieve higher computing power and are cheaper to implement on one chip than multiple individual cores. The safety processor is also called a multicore microcontroller unit, abbreviated as multicore MCU.
An interface is a device between at least two functional units, over which either only logical variables, such as data, or physical variables, such as electrical signals, are exchanged, either unidirectionally or bidirectionally. The exchange can be analog or digital. Interfaces may exist between software and software, between hardware and hardware, and between software and hardware in either direction.
A plausibility check is a measure by which a value, or more generally a result, is checked in a rough evaluation for whether it is plausible at all, that is to say acceptable, rational and/or understandable. The plausibility check can be implemented both in hardware and in software. The plausibility check is in particular a monitoring of signals which should only occur in a specific combination and sequence. For example, measured values can be checked against their reasonable value ranges and their time profile. A plausibility check also includes checking whether a variable belongs to a specific data type or lies within a predetermined value range. In a plausibility check, two or more sensors that detect different information can also be compared with one another during operation in order to detect disturbances, such as deviations or failures. Furthermore, short circuits and/or short-to-ground faults can also be detected by means of a plausibility check.
Information is a subset of the knowledge that a sender may communicate to a receiver via a particular medium. The first information item is preferably different from the second information item. For example, the object in a digital camera image is specific first image information, and the camera sends the digital camera image to the processor for further processing. The spatial distance of the object from the camera forms the second information item.
The first information item is plausible with respect to the second information item when its content is acceptable in view of the content of the second, that is to say when the contents of the two are consistent with one another.
The first plausibility check and the second plausibility check may differ in the way they are carried out. With differing plausibility checks, the hardware and software used to perform them can be checked for faults. For example, the measured value may be checked as an integer in the first plausibility check and as a floating-point value in the second plausibility check.
The device according to the invention has the advantage that the vehicle module is not directly controlled with the processed information. The processing of the information may itself conform to ISO 26262, but the information may present additional safety risks that are not covered by ISO 26262; for example, environment information may reflect the environment erroneously. In order to avoid these additional risks, the safety processor first checks whether the information is plausible. The plausibility check establishes whether the hardware and software are operating without faults and which information is correct for the safe operation of the vehicle module. If information is identified as erroneous in the plausibility check, it is not forwarded to the control interface. Thus, only plausible information is used to actuate the vehicle module, and a vehicle module controlled with information determined to be plausible is in a safe state. Controlling with information also means that, if there are several information items, these are first combined and the vehicle module is controlled with the information item or items resulting from the combination. The invention thus provides, inter alia, a safety architecture for ADAS-domain ECUs.
In the event of a false detection of the environment, the vehicle module can therefore be brought into a safe state with the device according to the invention, since in this case the vehicle module is controlled only with plausible information. Redundant signal preparation for different sensor signals, such as those of cameras, radars or lidars (optical radars), makes a plausibility check possible, so that a faulty signal can be detected in the event of a fault. In the event of a fault, the damage is kept as small as possible by driving with plausible information. The device is therefore fail-safe.
A first plausibility check is carried out on the first core and a second plausibility check on the second core, wherein the second plausibility check can differ from the first in the way it is carried out; this has the advantage that hardware and software faults can be detected by the comparison on the third core. In principle, the first core and the second core compute the same information, preferably in different ways. If the comparison on the third core detects a deviation between the result obtained on the first core and the result obtained on the second core, a hardware and/or software failure is present.
In a further development of the invention, the first core is designed to carry out a first plausibility check on the first information, the second information and at least one third information which is supplied to the security processor via the information interface, wherein the plausibility of the first information, the second information and the third information with respect to one another can be checked separately. Therefore, erroneous information can be recognized relatively easily. If the first information is, for example, legitimate for the second information and the third information, and the second information is legitimate for the third information, then no information is erroneous. Conversely, if the first information is not legitimate for the second information and is not legitimate for the third information, for example, but the second information is legitimate for the third information, then the first information is erroneous.
Advantageously, the second core is designed to carry out a second plausibility check on the first information, the second information and at least one third information which is supplied to the safety processor via the information interface, wherein the plausibility of the first information, the second information and the third information with respect to one another can be checked separately. The same advantages as for the first core are thus obtained for the second core. Further, the three pieces of information can be compared using the third core.
In a further development of the invention, the result of the first plausibility check performed on the first core and/or the result of the second plausibility check performed on the second core is a majority selection of the information items whose plausibility is confirmed by a majority. Here, an information item that is implausible with respect to too many of the other information items is erroneous. This majority selection is also known as voting. In the event that three information items are checked for plausibility with respect to one another and one of the three is identified as erroneous, only two of the three are forwarded to the control interface for controlling the vehicle module. This majority selection is also known as a 2oo3 vote, that is to say a two-out-of-three vote.
Preferably, the safety processor, in particular each of the first core, the second core and the third core, has a redundant power supply. Redundancy is the additional presence of functionally identical or similar resources in a technical system which are not needed in the normal, fault-free case. If the power supply fails, the device remains in a controllable state by means of the additional redundant power supply. The entire safety processor with the first, second and third cores fails when a voltage dip occurs in the only power supply to the safety processor. Failures of several components that share one cause or result from one event are called common cause failures. The redundant power supplies thus prevent common cause failures due to voltage dips in the power supply.
Preferably, the safety processor, in particular each of the first, second and third cores, has a monitoring device. A monitoring device, also known as a watchdog, is a component of the system that monitors the functioning of other components, in this case of the safety processor, in particular of the first, second and third cores. If a possible fault is detected, it is either signaled according to the safety protocol or a suitable jump instruction is triggered which resolves the pending problem. The term watchdog covers both hardware and software watchdogs. A hardware watchdog is an electronic component that communicates with the component being monitored. A software watchdog is software running in the component to be monitored which checks whether all important program modules are executed correctly within a predetermined time frame or whether any module takes impermissibly long. A watchdog is particularly useful in safety-relevant applications and allows the compliance of the E/E system with ISO 26262 to be monitored.
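As an added illustration of the software watchdog just described (this is not code from the patent, which discloses no implementation), the following Python sketch monitors whether each program module of one core reports completion within its predetermined time frame. Time is an integer millisecond clock passed in by the caller rather than a wall clock, so the scenario is reproducible; the module names, the deadlines and the "safe state" reaction are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SoftwareWatchdog:
    """Software watchdog for the program modules of one core.

    Each monitored module must report completion within its deadline. The clock
    is an integer millisecond value supplied by the caller (no wall clock), so
    the behaviour is deterministic. Module names and deadlines are constructed
    for this example and are not taken from the patent.
    """
    deadlines_ms: Dict[str, int]
    last_report_ms: Dict[str, int] = field(default_factory=dict)

    def arm(self, now_ms: int) -> None:
        """Start all timers, e.g. at the beginning of a processing cycle."""
        self.last_report_ms = {module: now_ms for module in self.deadlines_ms}

    def report(self, module: str, now_ms: int) -> None:
        """A monitored module signals that it has completed its work."""
        if module not in self.deadlines_ms:
            raise KeyError(f"module {module!r} is not monitored")
        self.last_report_ms[module] = now_ms

    def overdue(self, now_ms: int) -> List[str]:
        """Modules whose last report is older than their permitted time frame."""
        return sorted(
            module for module, limit in self.deadlines_ms.items()
            if now_ms - self.last_report_ms[module] > limit
        )

    def react(self, now_ms: int) -> str:
        """Fault reaction: 'ok' when nothing is overdue, otherwise the assumed
        reaction 'safe_state' (signalling the fault is the alternative the
        description names)."""
        return "safe_state" if self.overdue(now_ms) else "ok"


def simulate_cycle() -> List[str]:
    """Constructed scenario: three modules of one core, the comparison stalls."""
    wd = SoftwareWatchdog({"plausibility_check": 20, "vote": 15, "compare": 10})
    wd.arm(0)
    wd.report("plausibility_check", 15)  # done 15 ms after arming
    wd.report("vote", 10)                # done 10 ms after arming
    # "compare" never reports; at 22 ms it has exceeded its 10 ms window
    return wd.overdue(22)                # returns ['compare']


if __name__ == "__main__":
    print(simulate_cycle())
```

The check compares each module's last report against the current time, so a module that stops reporting is caught at the next `overdue` call regardless of how the remaining modules behave; a hardware watchdog would be kicked in the same place where `report` is called.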
Preferably, the information interface is a redundant information interface. An additional information interface is thus provided for the case of a failure of the information interface, which additional information interface keeps the device in a controllable state.
The controller for a vehicle according to the present invention has the device according to the present invention and a power processor, wherein an information interface of the device is arranged between the power processor and a safety processor, the controller being characterized in that: the power processor is provided with a detection device and an evaluation device; the detection device is designed to detect, that is to say to obtain, at least one first signal and one second signal; the evaluation device is designed to generate at least first information from the first signal and second information from the second signal; and at least first information generated by the first signal and second information generated by the second signal can be transmitted to the safety processor by means of the information interface for controlling the vehicle module. The controller according to the invention provides the advantages of: the information generated by the evaluation device from the signals is not used directly for controlling the vehicle module, but rather is checked for plausibility beforehand by means of the device according to the invention. It is thus achieved that the vehicle module is actuated with only reasonable information and without erroneous information.
According to a preferred embodiment of the invention, the power processor has at least a first channel and a second channel separate from the first channel, wherein a first signal can be detected in the first channel and first information generated from it, and a second signal can be detected in the second channel and second information, independent of the first information, generated from it. It is thus ensured that the first signal and the second signal are processed independently of each other, so that freedom from interference in the sense of ISO 26262 is ensured. Owing to this independence, a failure in the second channel does not cause a failure in the first channel, and vice versa.
Preferably, the power processor, in particular the first channel and the second channel, respectively, or the detection device and the evaluation device, respectively, has a redundant power supply. The redundant power supply prevents common cause failures due to voltage dips within the power supply.
In a development of the invention, the power processor, in particular each of at least the first channel and the second channel, has a monitoring device, a so-called watchdog. The watchdog may be a hardware watchdog and/or a software watchdog.
According to a particularly preferred embodiment of the invention, the evaluation device has artificial intelligence. Artificial intelligence means mimicking human-like intelligence, that is, attempting to build or program a computer that can handle problems by itself. Artificial intelligence may be implemented, inter alia, using an artificial neural network. Artificial neural networks are algorithms implemented on electronic circuits and programmed according to neural network models of the human brain. The functional units of an artificial neural network are artificial neurons, whose outputs are usually obtained as the value of an activation function evaluated on the sum of the weighted inputs plus a systematic offset, the so-called bias. Like the human brain, artificial neural networks can be taught or trained by testing a plurality of predetermined input quantities with different weighting factors and activation functions. Training artificial intelligence with a predetermined set of inputs is called machine learning. One subset of machine learning is deep learning, in which a series of hierarchical layers of neurons, so-called hidden layers, are used to perform the machine learning process.
An evaluation device with artificial intelligence can process signals more efficiently than a deterministic evaluation device. In particular, the algorithms on which the artificial intelligence is based can be implemented on image processors called graphics processing units (GPUs). The GPU has the advantage that multiple processes can be executed simultaneously in parallel, which increases the efficiency of the evaluation device.
Suitably, the signal detected by the detection device is a signal of an environment detection sensor, in particular a camera signal, a radar signal and/or a lidar (optical radar) signal. The environment detection sensor provides the input signal for the driver assistance system. If it is established with the device according to the invention, for example, that the camera information is not plausible with respect to the radar information but is plausible with respect to the lidar information, and that the radar information is not plausible with respect to the lidar information, then the radar information is erroneous.
Particularly preferred are vehicle modules of the vehicle domain, in particular infotainment systems, chassis, drives, interiors or security.
According to the invention, a driver assistance system is also provided, which has a controller according to the invention.
The controller according to the invention is used in the driver assistance method according to the invention. The driver assistance method according to the invention has the following steps:
-detecting a signal from the environment of the vehicle with a detection means of the power processor,
-evaluating the signals by means of an evaluation device and generating information from the signals in mutually separate channels of a power processor,
-relaying this information to the secure processor via the information interface,
-performing a first plausibility check of each information with each further information on a first core of the security processor, wherein, by majority decision, the information that is plausible with respect to the majority of the further information is selected,
-performing a second plausibility check of each information with each further information on a second core of the security processor, wherein, by majority decision, the information that is plausible with respect to the majority of the further information is selected,
-forwarding the result of the first plausibility check performed on the first core and the result of the second plausibility check performed on the second core to a third core of the security processor,
-comparing the result of the first rationality check with the result of the second rationality check on the third core,
-forwarding information that the rationality was confirmed in the first rationality check and in the second rationality check to the control interface, and
-controlling the vehicle module with information that is determined to be reasonable.
With the driver assistance method according to the invention, it is ensured that only information classified as safe by means of the plausibility checks is used for controlling the vehicle module.
Drawings
The invention is explained in detail with the aid of the following figures. Wherein:
FIG. 1: an embodiment of the apparatus according to the invention is shown;
FIG. 2: an embodiment of a controller according to the present invention is shown; and
FIG. 3: an embodiment of a driver assistance method according to the invention is shown.
The same reference numbers here denote identical or functionally identical features. For the sake of clarity, only the respective important reference numerals have been designated in the respective figures.
Detailed Description
Fig. 1 shows a device 1 according to the invention for controlling a vehicle module 2. The device 1 has an information interface 20, a secure processor 10 and a control interface 21. The first information 31, the second information 32 and the third information 33 are conducted to the secure processor 10 via the information interface 20. The secure processor 10 has a first core 11, a second core 12 and a third core 13. Each individual core is connected to a redundant power supply 14. In addition, each core is monitored by a monitoring device 15.
It is also within the scope of the invention that the first information 31, the second information 32 and the third information 33 enter the device 1 as objects of two channels, respectively.
In the first core 11, the mutual plausibility of the information 31, 32 and 33 is checked in the first plausibility check 30. In the second core 12, the mutual plausibility of the information 31, 32 and 33 is checked by means of a second plausibility check 40, which is implemented differently from the first plausibility check 30.
For the case where the first information 31 is the environment information detected with the camera, the second information 32 is the environment information detected with the radar, and the third information 33 is the environment information detected with the optical radar, the decision is made according to the following scheme (majority decision scheme):
If the camera information 31 is plausible with respect to the radar information 32 but not plausible with respect to the optical radar information 33, and the radar information 32 is not plausible with respect to the optical radar information 33, the device 1 recognizes that the optical radar information 33 is erroneous.
The information 31, 32 and 33 which is determined in the first plausibility check 30 and in the second plausibility check 40 as being plausible with respect to one another is forwarded to the third core 13, in which the comparison 45 of the incoming information takes place. If the information ascertained to be mutually plausible in the first core 11 is also recognized as plausible in the second core 12 (this is ascertained by means of the comparison 45), the vehicle module 2 is controlled via the control interface 21 using the plausible information.
If the result of the comparison 45 is that the information ascertained as mutually plausible in the first core 11 deviates from the information ascertained as mutually plausible in the second core 12, a hardware and/or software fault is identified by the third core 13.
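The decision path described above (plausibility checks 30 and 40 as two differently implemented majority decisions on cores 11 and 12, comparison 45 on core 13, fault reported on deviation), as an added C example that is not part of the patent or of any ZF code. It assumes a pairwise plausibility relation as its input, since the page does not say how two sensor outputs are compared, and it generalizes the majority rule to N items as "an item is accepted when it and the items it is plausible with form a majority", which for the three sensors of the description reduces to agreeing with at least one other sensor.

```c
#include <stdbool.h>
#include <stdio.h>

/* Information items of the description: camera (31), radar (32), optical radar (33). */
#define N_INFO 3
enum { CAMERA = 0, RADAR = 1, OPTICAL_RADAR = 2 };
#define DECISION_FAULT (-1)   /* third core: the two plausibility checks disagree */

/* Assumed abstraction of pairwise plausibility (the page does not say how two sensor
   outputs are compared): m[i][j] records whether information i is plausible w.r.t. j. */
typedef bool pair_matrix_t[N_INFO][N_INFO];

static void set_pair(pair_matrix_t m, int i, int j, bool plausible) {
    m[i][j] = plausible;
    m[j][i] = plausible;
}

/* First plausibility check (core 11) as a majority decision: item i is selected when it and
   the items it is plausible with form a majority of all N_INFO items (for three sensors:
   it agrees with at least one other sensor). Bit i of the result set = item i selected. */
static unsigned check_by_agreement(pair_matrix_t m) {
    unsigned selected = 0;
    for (int i = 0; i < N_INFO; i++) {
        int agree = 0;
        for (int j = 0; j < N_INFO; j++)
            if (i != j && m[i][j]) agree++;
        if (2 * (agree + 1) > N_INFO) selected |= 1u << i;
    }
    return selected;
}

/* Second, differently implemented check (core 12): the same rule phrased as rejection; it
   counts disagreements and reads the transposed entries, so a corrupted relation makes the
   cores diverge instead of failing identically. */
static unsigned check_by_rejection(pair_matrix_t m) {
    unsigned selected = (1u << N_INFO) - 1;          /* start with everything accepted */
    for (int i = 0; i < N_INFO; i++) {
        int disagree = 0;
        for (int j = 0; j < N_INFO; j++)
            if (i != j && !m[j][i]) disagree++;
        if (2 * disagree >= N_INFO) selected &= ~(1u << i);
    }
    return selected;
}

/* Third core (13), comparison (45): forward the confirmed information only when both checks
   agree, otherwise report a hardware/software fault instead of controlling the module. */
static int compare_and_forward(unsigned first, unsigned second) {
    return first == second ? (int)first : DECISION_FAULT;
}

/* Whole secure-processor path: cores 11 and 12 run the diverse checks, core 13 compares. */
static int secure_processor_decide(pair_matrix_t m) {
    return compare_and_forward(check_by_agreement(m), check_by_rejection(m));
}

/* Three-sensor case with symmetric pairwise verdicts camera/radar, camera/optical radar,
   radar/optical radar; returns the bitmask of information confirmed plausible. */
static int decide_three(bool cam_radar, bool cam_optical, bool radar_optical) {
    pair_matrix_t m = {{false}};
    set_pair(m, CAMERA, RADAR, cam_radar);
    set_pair(m, CAMERA, OPTICAL_RADAR, cam_optical);
    set_pair(m, RADAR, OPTICAL_RADAR, radar_optical);
    return secure_processor_decide(m);
}

/* Constructed fault case: one entry is corrupted on its way to the cores, so the two checks
   no longer agree and core 13 must flag a fault. */
static int decide_three_corrupted(void) {
    pair_matrix_t m = {{false}};
    set_pair(m, CAMERA, RADAR, true);
    m[RADAR][CAMERA] = false;                        /* single flipped entry */
    return secure_processor_decide(m);
}

int main(void) {
    printf("optical radar odd one out: mask %d\n", decide_three(true, false, false));  /* 3 */
    printf("radar odd one out:         mask %d\n", decide_three(false, true, false));  /* 5 */
    printf("corrupted relation:        %d (fault)\n", decide_three_corrupted());       /* -1 */
    return 0;
}
```

Both worked cases of the description are exercised: the optical radar being the odd one out (mask 3, camera and radar forwarded) and the radar being the odd one out (mask 5).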
Fig. 2 shows an embodiment of the controller 3 according to the invention. In the controller 3, the power processor 50 and the safety processor 10 are combined via an information interface 20 arranged between the power processor 50 and the safety processor 10.
The power processor has detection means 51 and evaluation means 52. The detection means 51 have a redundant power supply 14. The first signal 53, the second signal 54 and the third signal 55 are collected in the detection means. The signals 53, 54 and 55 may for example be signals of environment detection sensors. For example, the first signal 53 may be a signal of a camera sensor, the second signal 54 a signal of a radar sensor, and the third signal 55 a signal of an optical radar sensor.
The signals 53, 54 and 55 are detected and processed in channels of the power processor that are separate from each other, i.e. in a first channel 56, a second channel 57 and a third channel 58.
In the evaluation device 52, corresponding information 31, 32, 33 is generated from the signals 53, 54 and 55, which information arrives at the security processor 1 via the information interface 20. The information from e.g. the camera signal 53 is then the corresponding camera image. The camera image may be a front area image, a rear area image or a side area image of the vehicle in relation to the camera used.
The evaluation means 52 have artificial intelligence. Artificial intelligence is here an artificial neural network, which is trained for recognizing traffic conditions.
The functioning of the power processor 50 is checked by a watchdog, the monitoring device 15.
A high-performance processor is used in particular as the power processor 50. The chip on which the power processor 50 is implemented is also referred to as a performance chip or power chip. A processor with less computing power may be used as the secure processor.
Fig. 3 shows an embodiment of a driver assistance method 5 according to the invention, which can be implemented with the driver assistance system 4. The signals 53, 54 and 55 are first detected by means of the detection device 51 in a method step 60 of detection. An evaluation 61 of the signals 53, 54 and 55 is then carried out in the evaluation device 52. The detection 60 of the signals 53, 54 and 55 and the evaluation 61 into the information 31, 32 and 33 are performed in the power processor 50.
The evaluated information 31, 32 and 33 is transmitted to the secure processor 10 in a method step 62 of forwarding the information via the information interface.
The following method steps are carried out in the secure processor 10: the first plausibility check 30 is carried out 63 in the first core 11, and the second plausibility check 40 is carried out 64 in the second core 12. The result of the first plausibility check 30 carried out on the first core 11 and the result of the second plausibility check 40 carried out on the second core 12 are conducted, in a relaying method step 65, to the third core 13 of the secure processor. A comparison 66 of the results of the plausibility checks 30 and 40 is made in the third core 13 of the secure processor 10. The information whose plausibility was confirmed in both the first plausibility check 30 and the second plausibility check 40 is then forwarded 67 to the vehicle module 2 via the control interface 22, and the vehicle module 2 is controlled with this confirmed information in a control method step 68.
Within the scope of the invention, the vehicle module can be actuated in such a way that the actuation is haptically perceptible. For example, the steering wheel can be actuated in such a way that it is vibrated and the driver perceives this with his sense of touch, if it is determined that the driving trajectory is not complied with. The actuation can also be effected visually and acoustically or via an actuator, in particular an electromechanical actuator.
List of reference numerals
1 apparatus
2 vehicle module
3 controller
4 driver assistance system
5 driver assistance method
10 secure processor
11 first core
12 second core
13 third core
14 power supply
15 monitoring device
20 information interface
21 control interface
30 first plausibility check
31 first information
32 second information
33 third information
40 second plausibility check
45 comparison
50 power processor
51 detection device
52 evaluation device
53 first signal
54 second signal
55 third signal
56 first channel
57 second channel
58 third channel
60 detection
61 evaluation
62 relay information
63 carry out a first plausibility check
64 carry out a second plausibility check
65 relaying
66 comparison
67 relay plausible information
68 controlling

Claims (16)

1. Device (1) for controlling a vehicle module (2), having a safety processor (10) with at least one information interface (20) at an input of the safety processor (10) and a control interface (21) at an output of the safety processor (10), wherein the safety processor (10) has at least one first core (11), a second core (12) and a third core (13), the device having the further features of:
a. the first core (11) is designed to carry out a first plausibility check (30) of at least one first message (31) conducted to the secure processor (10) via the information interface (20) and at least one second message (32) conducted to the secure processor (10) via the information interface (20);
b. the second core (12) is designed to carry out a second plausibility check (40) of the first information (31) and the second information (32);
c. the third core (13) is designed to compare (45) the result of the first plausibility check (30) carried out on the first core (11) and conducted to the third core (13) with the result of the second plausibility check (40) carried out on the second core (12) and conducted to the third core (13), and to forward the information (31, 32) whose plausibility is confirmed in the first plausibility check (30) and in the second plausibility check (40) to a control interface (22), wherein the vehicle module (2) can be controlled via the control interface (22) using the information (31, 32) that is confirmed to be plausible.
2. Device (1) according to claim 1, characterized in that the first core (11) is configured for carrying out a first plausibility check (40) for the first information (31), the second information (32) and at least one third information (33) fed to the secure processor (10) via the information interface (20), wherein the plausibility of the first information (31), the second information (32) and the third information (33) with respect to each other is separately checkable.
3. Device (1) according to any one of the preceding claims, characterized in that the second core (11) is configured for carrying out a second plausibility check (40) for the first information (31), the second information (32) and at least one third information (33) conveyed to the secure processor (10) via the information interface (20), wherein the plausibility of the first information (31), the second information (32) and the third information (33) with respect to each other is separately checkable.
4. The device (1) according to claim 2 and/or claim 3, characterized in that the result of the first plausibility check (30) carried out on said first core (11) and/or the result of the second plausibility check (40) carried out on said second core (12) is a majority decision that selects the information (31, 32) which is plausible with respect to the majority.
5. The device (1) according to any one of the preceding claims, characterized in that the secure processor (10), in particular the first core (11), the second core (12) and the third core (13), respectively, has a redundant power supply (14).
6. The device (1) according to any one of the preceding claims, characterized in that the safety processor (10), in particular the first core (11), the second core (12) and the third core (13), respectively, has a monitoring device (15).
7. The device (1) according to any one of the preceding claims, characterized in that the information interface (20) is a redundant information interface (20).
8. Controller (3) for a vehicle module (2), having a device (1) according to any one of the preceding claims and a power processor (50), wherein an information interface (20) of the device (1) is arranged between the power processor (50) and a safety processor (10), characterized in that:
a. the power processor (50) has a detection device (51) and an evaluation device (52);
b. the detection device (51) is designed to detect at least one first signal (53) and one second signal (54);
c. the evaluation device (52) is designed to generate at least a first information (31) from the first signal (53) and a second information (32) from the second signal (54), and
d. at least first information (31) generated by the first signal (53) and second information (32) generated by the second signal (54) can be transmitted to the safety processor by means of the information interface (20) for controlling the vehicle module (2).
9. The controller (3) according to claim 8, wherein the power processor (50) has at least one first channel (56) and a second channel (57) separate from the first channel (56), wherein the first signal (53) is detectable in the first channel (56) and the first information (31) is producible from the detected first signal, and wherein the second signal (54) is detectable in the second channel (57) and the second information (32) is producible independently of the first information (31).
10. The controller (3) according to claim 8 or 9, characterized in that the power processor (50), in particular the first channel (56) and the second channel (57), respectively, or the detection device (51) and the evaluation device (52), respectively, preferably has a redundant power supply (14).
11. The controller (3) according to any one of claims 8 to 10, characterized in that the power processor (10), in particular at least the first channel (56) and the second channel (57), respectively, has a monitoring device (15).
12. The controller (3) according to any one of claims 8 to 11, characterized in that the evaluation device (52) has artificial intelligence.
13. Controller (3) according to any one of claims 8 to 12, characterized in that the signal (53, 54, 55) detected by the detection means (51) is a signal (53, 54, 55) of an environment detection sensor, in particular a camera signal (53), a radar signal (54) and/or an optical radar signal (55).
14. The controller (3) according to any of claims 8 to 13, characterized in that the vehicle module (2) is a vehicle domain, in particular an infotainment system, a chassis, a drive, an interior and/or a security.
15. Driver assistance system (4) with a controller (3) according to any one of claims 8 to 14.
16. Driver assistance method (5) in which a controller (3) having the features according to any one of claims 8 to 14 is used, and which has the following steps:
a. detecting (60) with a detection device (51) of a power processor (50) a signal (53, 54, 55) from an environment of the vehicle;
b. evaluating (61) the signals (53, 54, 55) by means of an evaluation device (52) and generating information (31, 32, 33) from the signals (53, 54, 55) in mutually separate channels (56, 57, 58) of the power processor (50);
c. relaying (62) said information (31, 32, 33) to a secure processor (10) via an information interface (20);
d. carrying out (63), on a first core (11) of the secure processor (10), a first plausibility check (30) of each information (31, 32, 33) with each further information (31, 32, 33), wherein, by majority decision, the information (31, 32, 33) that is plausible with respect to the majority of the further information (31, 32, 33) is selected;
e. carrying out (64), on a second core (12) of the secure processor (10), a second plausibility check (40) of each information (31, 32, 33) with each further information (31, 32, 33), wherein, by majority decision, the information (31, 32, 33) that is plausible with respect to the majority of the further information (31, 32, 33) is selected;
f. relaying (65) the result of the first plausibility check (30) performed on the first core (11) and the result of the second plausibility check (40) performed on the second core (12) to a third core (13) of the secure processor (10);
g. comparing (66) the result of the first plausibility check (30) with the result of the second plausibility check (40) on the third core (13);
h. forwarding (67) to the control interface (21) the information (31, 32) whose plausibility was confirmed in the first plausibility check (30) and in the second plausibility check (40); and
i. controlling (68) the vehicle module (2) with the information (31, 32) that is determined to be plausible.
CN201880040724.5A 2017-06-19 2018-05-15 Device and method for controlling a vehicle module Pending CN110770707A (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
DE102017210156.3 2017-06-19
DE102017210156.3A DE102017210156B4 (en) 2017-06-19 2017-06-19 Device and method for controlling a vehicle module
PCT/EP2018/062496 WO2018233934A1 (en) 2017-06-19 2018-05-15 Device and method for controlling a vehicle module

Publications (1)

Publication Number Publication Date
CN110770707A true CN110770707A (en) 2020-02-07

Family

ID=62222629

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201880040724.5A Pending CN110770707A (en) 2017-06-19 2018-05-15 Device and method for controlling a vehicle module

Country Status (6)

Country Link
US (1) US20210146939A1 (en)
EP (1) EP3642717A1 (en)
JP (1) JP2020524352A (en)
CN (1) CN110770707A (en)
DE (1) DE102017210156B4 (en)
WO (1) WO2018233934A1 (en)

Also Published As

Publication number Publication date
DE102017210156B4 (en) 2021-07-22
WO2018233934A1 (en) 2018-12-27
JP2020524352A (en) 2020-08-13
EP3642717A1 (en) 2020-04-29
US20210146939A1 (en) 2021-05-20
DE102017210156A1 (en) 2018-12-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination